Before October 30, 2023, the Container Intelligence Operations service (AIOps suite) used the ACK management service role AliyunCSDefaultRole. To enhance default security controls, the service will use a converged, dedicated RAM service role to access authorized user resources, including all ACK clusters, starting October 30, 2023.
Impact of this change
Starting October 30, 2023, new instances of Container Service for Kubernetes and newly created ACK clusters will be granted the AliyunCISDefaultRole access policy by default.
-
For clusters created before October 30, 2023, you will see an authorization prompt when you use Container Intelligence Operations features such as cluster inspection or cluster diagnostics.
-
For clusters created on or after October 30, 2023, you will see an authorization prompt during cluster creation.
Grant permissions to the role
After the RAM role permission convergence, the Container Intelligence Operations service no longer uses AliyunCSDefaultRole. Instead, it uses the default system role AliyunCISDefaultRole. You will be prompted to grant permissions to this system role when you create a cluster in the ACK console or use the Container Intelligence Operations console.
-
Log on with your Alibaba Cloud account or a RAM user that has the AliyunRAMFullAccess or AdministratorAccess policy. Click Go to RAM console to go to the RAM authorization page.
NoteIf you create clusters or use Container Intelligence Operations features using OpenAPI, use the authorization link.
-
At the bottom of the authorization page, click Authorize.
Log back in to the Container Intelligence Operations console to use diagnostics, inspection, and other features.
References
For more information about the AliyunCISDefaultRole policy, see Add authorization.